SUMMARY: Tracking what a user does

From: Systems Administrator (sysadmin@astrosun.tn.cornell.edu)
Date: Fri Mar 08 1996 - 16:35:05 CST


Let me first start out by saying that my reasons for asking the above
question have to do with system security. The user in question is a
generic account that anyone can and does log into at any time in order
to maintain their web documents. There is no one specific user to ask
what he/she is doing at any one time and thus the reason not to alert
the users all of the time. Therefore, I am concerned that at any one
time the security of this account may be compromised to others in the
same public room. The above was asked so that I can log the commands
and verify that they are "legitimate" commands...and not people trying
to crack the root password; and not to spy! I do not support using the
following for a means of spying on users.

Sorry for the outburst...now back to the show!

My original post:

I have a situation where there are several machines on the same net with
nfs mounts to a main server. People constantly rlogin/rsh to any other
machine on the net and use its resources. This is not a problem. I am
curious what a specific user may be running on my machine. I don't
really notice any significant drain of my resources at any time. I also
check the processes periodically to see if others use this machine.

When I do a 'last' I see that this user logs in quite often but usually
for a minute or less each time.

Is there any way that I can track when this user logs in and find out
what commands he/she is running? I don't really want to alert the user
at this time.
------------------------------------------------------------------------
Basically, I just enabled accounting on this one machine since it is
used by the generic user and for sysadmin purposes. Accounting did just
what I needed. See man accton.
------------------------------------------------------------------------
Thanks to:
------------------------------------------------------------------------
From: Glenn.Satchell@uniq.com.au (Glenn Satchell - Uniq Professional Services)

A couple of ideas:

- enable system accounting, this will give the commands that all users
ran.

- look at that user's command history (in ~user/.history). You should
be able to see when they did the rlogin to your machine and then a list
of commands that were run till they logged out.

------------------------------------------------------------------------
From: "Kai O'Yang" <oyang@mars.fcit.monash.edu.au>
Have you enabled accounting? I assume you're running Solaris 2.x, after
enabling accounting there is a command "lastcomm" that will print out
the log of what all users did (for the last few hours).

Another very useful program is called lsof (search archie for
whereabouts). It will tell you what file descriptor/tcp connection, etc.
a user/process is using.
------------------------------------------------------------------------
From: "Jim Meritt" <jmeritt@smtpinet.aspensys.com>
Aside from lastcomm <username>?
------------------------------------------------------------------------
From: Karl Kopper <karl@dop.water.ca.gov>
From another Solaris machine you could run snoop to
look at the packets
------------------------------------------------------------------------
From: bismark@alta.jpl.nasa.gov (Bismark Espinoza)
Use lastcomm
------------------------------------------------------------------------
From: Kevin Inscoe (CRC-LSG x2082) <kpi@hobbes.crc.com>
under SunOS 4.x do a man lastcomm.
------------------------------------------------------------------------
From: Jay Lessert <jayl@lattice.com>
man -k account
------------------------------------------------------------------------
From: Donnie Culanag <grnlake@dopamine.ca.boeing.com>
Cheers:
check out lastcomm .. might do what you want .. later
------------------------------------------------------------------------
From: Lyle Miller <lyle@ocs.com>
If you create a file called */var/adm/pacct* (in Solaris 2.X, anyway),
you can run a command called *lastcomm*--this shows in reverse order every
single command run on the machine. This list includes time, duration and
which user ran the command :)

Try it! The output file can grow rather quickly, so keep it in check ;)
------------------------------------------------------------------------
From: dougj@xray.ufl.edu (Doug Jones)
if the shell is a csh, you can do a set history=100 and a set
savehist=100 in the .cshrc. Then when the user logs out you can peruse
through the .history file in the account.

The caveat to this is that if the csh is terminated by a SIGTERM or
SIGKILL the .history file will not be updated.

I believe that bash, tcsh, ksh have similar features also.

There are other solutions but this may be the easiest for you to
implement.
------------------------------------------------------------------------
From: cld@astro.caltech.edu (Cheryl L. Southard)
How about going over to the user and kindly asking them what they're
running on your computer?

Or how about turning on process accounting? Then you can see which
commands are being execed. Use the "accton" command to turn on
process accounting.

If you need to know more than that, you could possibly write a
program that grabs all screen i/o and stuffs it into a log file.
There might be ethical problems behind running such a program,
especially if you don't forewarn your users. I used it once to track a
hacker, but wouldn't think of using it to spy on my users.
------------------------------------------------------------------------
Thanks again.

Vic Germani

-- 
***************************************************************
                      Systems Administrator
                      ---------------------
                   Space Sciences Building CRSR
   Mail all system related problems to one of the following:
sysadmin@astrosun.tn.cornell.edu   root@astrosun.tn.cornell.edu          
sysadmin@spacenet.tn.cornell.edu   root@spacenet.tn.cornell.edu
                              or see 
Vic Germani in room 402         germani@astrosun.tn.cornell.edu
***************************************************************
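Several replies above point at process accounting (accton, /var/adm/pacct, lastcomm) as the way to see what a shared account ran. The following is an added example, not code from the original summary or from any of the respondents: it parses constructed lastcomm-style output (the sample lines, the account name "www" and the watch-list of commands are assumptions) and reports, per user, which commands ran and which invocations by the shared account deserve a closer look, such as setuid programs or su/passwd attempts.

```python
from collections import Counter, defaultdict

# Constructed sample of lastcomm(1) output, not real accounting data.
# Columns: command, optional flags (F=fork, S=setuid, D=core dump,
# X=killed by signal), user, tty, elapsed secs, start time.
SAMPLE_LASTCOMM = """\
su         S     www      pts/3      0.05 secs Fri Mar  8 16:31
sh               www      pts/3      0.02 secs Fri Mar  8 16:31
vi               www      pts/3      3.10 secs Fri Mar  8 16:32
passwd     S     www      pts/3      0.04 secs Fri Mar  8 16:33
ls               vic      pts/1      0.01 secs Fri Mar  8 16:34
emacs      X     www      pts/3     12.50 secs Fri Mar  8 16:35
"""

FLAG_CHARS = set("FSDX")
# Assumed watch-list: commands a web-maintenance account has no reason to run.
WATCH_COMMANDS = {"su", "passwd"}


def parse_lastcomm(text):
    """Turn lastcomm-style lines into dicts; skips lines that do not fit the layout."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        idx = 1
        flags = ""
        # The flags column is absent when no flag is set, so detect it by content.
        if parts[1] and set(parts[1]) <= FLAG_CHARS:
            flags, idx = parts[1], 2
        records.append({
            "command": parts[0], "flags": flags, "user": parts[idx],
            "tty": parts[idx + 1], "secs": float(parts[idx + 2]),
            "start": " ".join(parts[idx + 4:]),  # parts[idx+3] is the literal "secs"
        })
    return records


def command_counts(records):
    """Per-user tally of which commands were run."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["user"]][r["command"]] += 1
    return dict(counts)


def flag_suspicious(records, shared_user):
    """Records where the shared account ran a watch-listed or setuid program."""
    return [r for r in records
            if r["user"] == shared_user
            and (r["command"] in WATCH_COMMANDS or "S" in r["flags"])]
```

Feed it the output of `lastcomm` instead of the sample to review a real pacct file; the per-user tally answers the original question, and the flagged list separates web-maintenance work from attempts at the root password.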



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:55 CDT